[ovs-dev] [branch-2.9] Revert "flow: Fix buffer overread for crafted IPv6 packets."

Justin Pettit jpettit at ovn.org
Sat Jul 14 20:33:16 UTC 2018


This reverts commit 0760bd61a666e9fa866fcb5ed67f48f34895d2f6.

This patch was a cherry-pick from a bug fix in the master branch that
fixed an overread for IPv6 packets.  However, the backport introduced a
problem in older branches, since the code path is different.  In the
master branch, this check is done on the raw packet data, which starts
at the beginning of the IPv6 packet.  In older branches, this check is
done after a call to data_pull(), which subtracts the IPv6 header length
from the 'size' variable.  This means that valid IPv6 packets aren't
being processed since the check thinks they are too long.

CC: Ben Pfaff <blp at ovn.org>
Fixes: 0760bd61a66 ("flow: Fix buffer overread for crafted IPv6 packets.")
Signed-off-by: Justin Pettit <jpettit at ovn.org>

---
This patch should be backported to older branches starting with branch-2.9.
---
 lib/flow.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/flow.c b/lib/flow.c
index c78f46d6c15a..f9d7c2a74007 100644
--- a/lib/flow.c
+++ b/lib/flow.c
@@ -804,7 +804,7 @@ miniflow_extract(struct dp_packet *packet, struct miniflow *dst)
         nh = data_pull(&data, &size, sizeof *nh);
 
         plen = ntohs(nh->ip6_plen);
-        if (OVS_UNLIKELY(plen + IPV6_HEADER_LEN > size)) {
+        if (OVS_UNLIKELY(plen > size)) {
             goto out;
         }
         /* Jumbo Payload option not supported yet. */
-- 
2.17.1



More information about the dev mailing list